The task of implementing a supervisory controller is non-trivial, even though different theories exist 
that allow automatic synthesis of these controllers in the form of automata. One of the reasons for this 
discord is the asynchronous interaction between a plant and its controller in implementations, whereas 
the existing supervisory control theories assume synchronous interaction. As a consequence, the 
implementation suffers from the so-called inexact synchronisation problem. In this paper we address 
the issue of inexact synchronisation in a process algebraic setting, by solving a more general problem 
of refinement. We construct an asynchronous closed loop system by introducing a communication medium 
in a given synchronous closed loop system. Our goal is to find sufficient conditions under which a 
synchronous closed loop system is branching bisimilar to its corresponding asynchronous closed loop 
system. 



1 Introduction 

The task of implementing a supervisory controller is non-trivial, even though different theories exist that 
allow automatic synthesis of these controllers in the form of automata. One of the reasons for this discord 
is due to the asynchronous interaction between a plant and its controller in implementations, whereas the 
existing supervisory control theories assume synchronous interaction. We elaborate on this mismatch by 
first introducing some terminology that is often used in supervisory control theory [14]. 

Supervisory control theory provides an automatic synthesis of a supervisor that controls a plant in 
such a way that a corresponding requirement (legal behaviour) is achieved. In supervisory control theory 
terminology, 

• the model that is to be controlled is known as plant, 

• the model that specifies the requirement is known as specification, 

• the model that forces the plant to meet the specification by interacting with it is known as supervisor 
or controller, 

• the interaction between a plant and its supervisor is known as closed-loop behaviour. 

The closed loop behaviour in supervisory control theory is realized by synchronous parallel composition. 
Informally, it allows a plant and a supervisor to synchronise on common events while other events can 
happen independently. 

One of the main drawbacks while implementing the interaction between a plant and its supervisor, 
synthesised by supervisory control theory, is inexact synchronisation. In practical industrial 
applications, the interaction between a plant and its supervisor is not synchronous but rather asynchronous. 
Due to the synchronous parallel composition used in supervisory control theory, the interaction between 
a plant and its supervisor is strict. By strict, we mean that either plant or supervisor has to wait for 
the other party while synchronising. To overcome this problem it is important to study asynchronous 
communication between a plant and its supervisor where communications are delayed in buffers. 



Balemi was the first to consider the inexact synchronisation problem, and the solutions given in 
his PhD thesis [4] were in the domain of automata theory. In [4], an input-output interpretation was 
given between a plant and its supervisor and a special delay operator was introduced to model the delay 
in communication between the plant and the supervisor. Moreover, for this setup the existence of a 
supervisor in the presence of delays was also shown in [4]. It was required that the output actions from 
a plant can occur asynchronously, while the output actions from a supervisor must occur synchronously 
[11]. In [18] this requirement was relaxed. Furthermore, necessary and sufficient conditions were also 
provided for the existence of a controller under bounded delay between a plant and its supervisor. 

The solutions provided in [4, 11, 18] construct a new supervisor under the presence of bounded delay, 
which is a computationally expensive procedure. To circumvent this, we present sufficient conditions on 
a synchronous closed loop system under which the asynchronous closed loop system constructed from 
it is a refinement of the given synchronous closed loop system. Moreover, the technique developed in 
this paper is independent of the size of the buffers used. However, we do not analyse the computational 
complexity associated with the sufficient conditions presented in this paper. 

In this paper, we reformulate the inexact synchronisation problem as a problem of refinement in 
the process algebra TCP [3]. The synchronous closed loop system can be considered as a specification 
with the asynchronous closed loop system as its implementation. If the given synchronous closed loop 
system and its corresponding asynchronous closed loop system are branching bisimilar [16], then the 
asynchronous closed loop system is said to be a refinement of its corresponding synchronous closed loop 
system. Note that we do not compute an additional supervisor under the presence of delays, instead we 
assume a given plant and its supervisor. Thus, we solve a refinement problem instead of solving a control 
synthesis problem. 

In the past, the idea of solving a refinement problem was studied in [1, 10, 12], but different setups 
(in comparison with the current paper) were used in these studies. These studies were motivated by the 
so-called "Foam-rubber wrapper" principle [15], borrowed from the field of delay insensitive circuits. 
Mathematically, it states that "a process and the same process connected with buffers are equivalent". In 
[18], the foam-rubber wrapper principle was also studied in the context of the parallel composition and 
it was shown that an extra condition is required to preserve this principle. In brief, we have a different 
architecture for the asynchronous closed loop system in this paper and we study the components in the 
asynchronous closed loop system conjointly, in order to capture desynchronisability. 



1.1 Architecture 

This paper is a result of the pre-study carried out in where four construction methods are proposed 
to construct an asynchronous closed loop system from its corresponding synchronous one. In this sub- 
section, we introduce the architecture of an asynchronous closed loop system, discuss the reasonability 
of using a bag as a buffer and describe one of the abstraction schemes that will be used throughout this 
paper. We elucidate on these points in the upcoming paragraphs. 

An asynchronous closed loop system can be constructed by introducing a buffer between a plant 
and its supervisor in order to decouple the synchronisation of events between the two. In practice, the 
buffering mechanism is realised by the interactions of different layers (also known as protocol stack) as 
shown in Figure 1. In theory, various authors [1, 10, 12] have abstracted from the interaction of different 
layers by using data structures based on a particular level of abstraction. For example, to model delay 
insensitive (DI) circuits, which are at a lower level of abstraction (physical layer), wires are used as a 
buffering mechanism [11]. On the other hand, to model data flow networks, which are at a higher level of 
abstraction (in comparison to DI circuits), queues are used as a buffering mechanism [10]. In this paper, 
we are interested in studying the asynchronous interaction in a closed loop system at an even higher 
level of abstraction by having a unique queue for every message. Thus, a queue stores only one type 
of unique message and all queues are allowed to run concurrently without interacting with one another. 
Such interleaving queues are equivalent to a bag modulo strong bisimulation. Hence, we use a bag as the 
buffering mechanism in this paper. 

Figure 1: Asynchronous closed loop system in practice. 

It is obvious that upon introduction of the bag as a buffer, the asynchronous closed loop system 
contains interactions that are not present in the synchronous closed loop system. However, to relate 
these two closed loop systems by a branching bisimulation relation [16], it is necessary to hide some 
interactions or define a suitable abstraction scheme. In principle, a synchronous closed loop system can 
be converted into an asynchronous closed loop system by introducing bags with the following abstraction 
schemes: 

M1. by introducing bags between a plant and its supervisor such that the interaction between plant and 
bag is hidden (see Figure 2(a)), 

M2. by introducing bags between a plant and its supervisor such that the interaction between supervisor 
and bag is hidden (see Figure 2(b)), 

M3. by introducing bags between a plant and its supervisor such that the communication among the 
input actions of both plant and supervisor with bags are hidden (see Figure 2(c)), 

M4. by introducing bags between a plant and its supervisor such that the communication among the 
output actions of both plant and supervisor with bags are hidden (see Figure 2(d)). 

In Figure 2, thick lines are used to show the visible interaction and thin lines are used to show the invisible 
interaction. The notation !a means 'send action a' and ?a means 'receive action a'. In this paper, we 
develop the theory for the construction method M1 (see Section 4 for the rationale behind this choice) 
and leave other construction methods as open for future study. Moreover, the techniques presented in 
this paper are restricted to reactive systems (so, no termination). 
Figure 2: Different ways to construct an asynchronous closed loop system. (a) Construction method M1. (b) Construction method M2. 



1.2 Outline 

The remainder of this paper is organized as follows. In Section 2, we start our exposition by defining 
the overall background required for this paper. Section 3 provides a brief introduction to supervisory 
control theory with respect to our setup. In Section 4, the construction method M1 is defined formally 
with its abstraction scheme. In Section 5, we give the formal definition of a desynchronisable closed loop 
system with the conditions that are sufficient for desynchronisability. Finally, in Section 6 we present the 
conclusions and propose some directions for future research. 



2 Background 

In this section, we define the basic notations and definitions that will be used throughout this article. Let 
Act be a set of action names. We use symbols $a, b, c, \ldots$ to range over the set Act. Then we define the 
following actions for an action label $a \in Act$: 

• $!a$: send action label a. 

• $?a$: receive action label a. 

• $¿a$: communicated action label a. 

Let $A$ denote the set of all possible actions, defined as $A = \{!a, ?a, ¿a \mid a \in Act\}$. The variables 
$x, y, z, \ldots$ are used to denote elements from the set $A$ when the information about the type of action is 
irrelevant. The set of all process terms (denoted by $\mathcal{P}$) is then defined by the following grammar. The 
constant $0$ is a process term that cannot perform any action, i.e. it can only deadlock. A unary operator $x.\_$ 
for each action $x \in A$ is introduced in the TCP syntax, denoting an action prefix. Intuitively, the process 
term $x.p$ performs the action $x$ and then behaves as the process $p$. The binary operator $+$ denotes the 
alternative composition or choice between any two processes. The encapsulation operator $\partial_H(\_)$ blocks 
the execution of actions from $H$ while allowing the execution of other actions from $A \setminus H$. The 
abstraction operator $\tau_I(\_)$ renames the actions from $I$ to $\tau$ and leaves other actions unchanged. 

P ::= 0 deadlock process 

x.P action prefix 

P + P alternative composition 

P ||_γ P parallel composition 

∂_H(P) action encapsulation, where H ⊆ A 

τ_I(P) abstraction (hiding of actions), where I ⊆ A 

ℰ recursive definition 

In the remainder of this paper, we assume that the symbols $P, R, S, p, p', s, s', \ldots$ range over the set $\mathcal{P}$. 
We fix the capital letters $P, R, S$ for processes associated with supervisory control theory. Note that we 
also use the alphabet operator $\alpha$ and renaming operator $\rho$ from TCP algebra for technical reasons, but not 
for modeling purposes. The empty process $1$ is not defined because we are interested in modeling only 
reactive systems. The notation $\mathcal{E}$ denotes a recursion definition by a set of pairs $\{X_0 = t_0, \ldots, X_m = t_m\}$ 
where $X_i$ denotes a recursion variable and $t_i$ the process term defining it. The parallel composition 
operator is parameterized with a communication function $\gamma : A \times A \to A$ such that $\gamma(?a, !a) = \gamma(!a, ?a) = ¿a$. 

The semantic domain of the process terms is a transition system (see [3] for details), which is 
achieved by the so-called SOS rules [13]. For the sake of completeness, we give the SOS rules of 
the operators used here in Appendix A. 

Definition 2.1. A transition system over a set of actions $A$ is a set $Q$ of states, equipped with a transition 
relation $\to \subseteq Q \times (A \cup \{\tau\}) \times Q$. The action $\tau \notin A$ denotes the invisible action. In the semantics of TCP, $Q$ 
is usually taken to be the set of process terms, i.e., $Q = \mathcal{P}$, and the initial state of a process is defined as 
the process term itself. □ 

As mentioned in the introduction, we use branching bisimulation to relate a synchronous closed loop 
system and its corresponding asynchronous closed loop system in which $\tau$ actions are present. The 
presence of $\tau$ actions in an asynchronous closed loop system will become evident in Section 4. We write 
the transitive closure of the transition relation $\to$ as $\Rightarrow$. The symbol $\equiv$ is used to denote syntactical 
equivalence between process terms. The shorthand notation $q \Rightarrow q'$ is defined as 
$q \equiv q_0 \xrightarrow{\tau} q_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} q_n \equiv q'$ for all $q_i \in Q$ with $i \in [0, n]$, $n \geq 0$. 

Definition 2.2. A binary relation $\Phi \subseteq Q \times Q$ is called a branching bisimulation relation iff: 

• $\forall q, q_1, q', x.\ (q, q') \in \Phi \wedge q \xrightarrow{x} q_1 \Rightarrow \exists q'_1, q'_2.\ [q' \Rightarrow q'_1 \xrightarrow{x} q'_2 \wedge (q, q'_1) \in \Phi \wedge (q_1, q'_2) \in \Phi]$ 

• $\forall q, q_1, q'.\ (q, q') \in \Phi \wedge q \xrightarrow{\tau} q_1 \Rightarrow (q_1, q') \in \Phi \vee \exists q'_1, q'_2.\ [q' \Rightarrow q'_1 \xrightarrow{\tau} q'_2 \wedge (q, q'_1) \in \Phi \wedge (q_1, q'_2) \in \Phi]$ 

• $\forall q, q', q'_1, x.\ (q, q') \in \Phi \wedge q' \xrightarrow{x} q'_1 \Rightarrow \exists q_1, q_2.\ [q \Rightarrow q_1 \xrightarrow{x} q_2 \wedge (q_1, q') \in \Phi \wedge (q_2, q'_1) \in \Phi]$ 

• $\forall q, q', q'_1.\ (q, q') \in \Phi \wedge q' \xrightarrow{\tau} q'_1 \Rightarrow (q, q'_1) \in \Phi \vee \exists q_1, q_2.\ [q \Rightarrow q_1 \xrightarrow{\tau} q_2 \wedge (q_1, q') \in \Phi \wedge (q_2, q'_1) \in \Phi]$ 

Let $q, q' \in Q$ be the initial states of processes $p, p' \in \mathcal{P}$, respectively. Two processes $p$ and $p'$ are said to 
be branching bisimilar (denoted as $p \leftrightarrow_b p'$) iff there exists a branching bisimulation relation $\Phi$ such that 
their initial states $q, q'$ are related, i.e. $(q, q') \in \Phi$. □ 

Note that in the absence of $\tau$ actions, branching bisimulation coincides with strong bisimulation. 
The phenomenon of the occurrence of redundant silent steps can be formulated by the following notion 
of $\tau$-inertness [9]. 

Definition 2.3. Let $p \in \mathcal{P}$ be an arbitrary process. A process $p$ is said to be $\tau$-inert with respect to $\leftrightarrow_b$ 
iff for all states $q$ of the transition system (generated by the operational rules) of $p$ it holds that 
$q \xrightarrow{\tau} q' \Rightarrow q \leftrightarrow_b q'$, where $q' \in Q$. □ 

The essence of the above definition is that an inert $\tau$ action does not affect the future choices of a 
process modulo branching bisimulation. In Section 5 we also show that an asynchronous closed loop 
system constructed from a synchronous closed loop system satisfying Definitions 5.2, 5.3 and 5.4 is 
always $\tau$-inert with respect to $\leftrightarrow_b$. 



3 Supervisory control theory 

In this section, we give a brief introduction to supervisory control theory and define its fundamental 
entities in our setup. The basic entity (a plant, or a supervisor, or a requirement) in the supervisory 
control theory is deterministic. Furthermore, the proof of the main Theorem 5.10 requires the fact that 
a given synchronous closed loop system is also deterministic. Therefore, we now introduce the term 
deterministic process. 

Definition 3.1. A process $p \in \mathcal{P}$ is called a deterministic process iff for all states $q$ of the transition system 
(generated by the operational rules) of $p$ and for all $x \in A$ it holds that $q \xrightarrow{x} q_1 \wedge q \xrightarrow{x} q_2 \Rightarrow q_1 = q_2$, 
where $q_1, q_2 \in Q$. □ 

In supervisory control theory, plants and supervisors are allowed to perform events that are divided 
into two disjoint subsets: controllable and uncontrollable events. The idea behind this partition is that the 
supervisor can enable or disable controllable events so that the closed loop behavior is equivalent to the 
requirement. The supervisor can observe but cannot influence uncontrollable events. In this paper, we 
follow the input-output interpretation [4] between a plant and its supervisor; wherein the uncontrollable 
events are outputs from a plant to a supervisor and the controllable events are outputs from a supervisor 
to a plant. Thus, processes that model plants or supervisors must have distinct (because of the above 
partition) input and output actions in their alphabets. Such processes are called input-output processes. 

Definition 3.2. The set of input actions for an arbitrary process $p \in \mathcal{P}$ is denoted by $\alpha_?(p)$ and is defined 
as $\alpha_?(p) = \{?a \mid ?a \in \alpha(p)\}$. Similarly, the set of output actions (denoted by $\alpha_!(p)$) is defined as 
$\alpha_!(p) = \{!a \mid !a \in \alpha(p)\}$. A process $p$ is called an input-output process iff 

$\alpha_?(p) \cap \alpha_!(p) = \emptyset \wedge \partial_I(p) \leftrightarrow_b p \wedge \tau \notin \alpha(p)$ 

where $I = \{¿a \mid a \in Act\}$. □ 

The condition $\partial_I(p) \leftrightarrow_b p$ ensures that an input-output process does not contain communicated 
actions in its alphabet. This is because bags are introduced to buffer both input and output events of an 
input-output process $p \in \mathcal{P}$. So if communicated actions are allowed in the specification of the process $p$ 
then the information whether the action $¿a$ is an input or an output action of the process $p$ is unknown. 
We now define the three basic entities in the supervisory control theory in our setup. A plant $P \in \mathcal{P}$ 
is a deterministic input-output process. Similarly, a supervisor is a deterministic input-output 
process. A requirement is a process specifying the legal interaction that should occur while the 
plant and its supervisor are interacting such that a required task (for which the supervisor is synthesised) 
is completed. Thus, a requirement is a deterministic process $R \in \mathcal{P}$ such that 

$\partial_H(R) \leftrightarrow_b R \wedge \tau \notin \alpha(R)$, 

where $H = \{!a, ?a \mid a \in Act\}$. This condition ensures that a requirement process only contains 
communicated actions in its alphabet. 

Now, we can state the control problem as follows: given a plant $P$ and a requirement $R$, find a 
supervisor $S$ such that 

$\partial_H(P \parallel_\gamma S) \leftrightarrow_b R$. 

In this paper, we are not interested in how this supervisor is computed and rather assume that we are 
provided with a solution to the above equation. The goal of this paper is then to find certain conditions 
on the given synchronous closed loop system such that it is desynchronisable. Note that in supervisory 
control theory the control problem is based on language equivalence, but branching bisimilarity coincides 
with language equivalence in the presence of determinism and in the absence of $\tau$ actions. However, we 
use branching bisimulation because the asynchronous closed loop systems as constructed in the next 
section are always nondeterministic. In brief, the cause of this nondeterminism is the abstraction of 
interactions between a plant and the buffer. 



4 From synchrony to asynchrony 

In the previous section, we formally defined a plant $P$, a supervisor $S$ and a requirement $R$ in our setup. 
Now, we extend our setup in accordance with the architecture of Subsection 1.1 to model asynchronous 
communication by introducing two bags between a given plant and its supervisor; one bag that contains 
input actions of $P$ and another one that contains output actions of $P$. Next we define a multiset and some 
operations over multisets that are necessary for the definition of a bag. 

A multiset $\xi$ over the set of communicated actions $I$ is a tuple $(I, \kappa)$ where $\kappa : I \to \mathbb{N}$ is the 
corresponding multiplicity function. We write the empty multiset as $\varepsilon$, which is defined as $(\emptyset, \kappa_0)$, where 
$\kappa_0 : \emptyset \to \mathbb{N}$ is the zero function. 

Definition 4.1. Let $\xi = (I, \kappa)$ be a multiset over the set $I$. 

• The predicate $\in'$ is used to denote that an element belongs to a multiset. It is defined as 
$¿a \in' \xi \triangleq ¿a \in I \wedge \kappa(¿a) > 0$. 

• The operator $\oplus$ is used to denote the addition of an element to a multiset. It is defined as $\xi \oplus ¿a = (I', \kappa')$ where 

$I' = \begin{cases} I, & \text{if } ¿a \in I \\ I \cup \{¿a\}, & \text{if } ¿a \notin I \end{cases}$ 
and 
$\kappa'(x) = \begin{cases} \kappa(¿a) + 1, & \text{if } x = ¿a \wedge ¿a \in I \\ 1, & \text{if } x = ¿a \wedge ¿a \notin I \\ \kappa(x), & \text{if } x \neq ¿a \wedge x \in I \end{cases}$ 

• The operator $\ominus$ is used to denote the removal of an element from a multiset. It is defined as $\xi \ominus ¿a = (I', \kappa')$ where 

$I' = \begin{cases} I, & \text{if } \kappa(¿a) > 1 \\ I \setminus \{¿a\}, & \text{if } \kappa(¿a) = 1 \end{cases}$ 
and 
$\kappa'(x) = \begin{cases} \kappa(¿a) - 1, & \text{if } x = ¿a \wedge \kappa(¿a) > 0 \\ \kappa(x), & \text{if } x \neq ¿a \wedge x \in I \end{cases}$ 

For each $x \in A$ we define a new element $\bar{x}$. Let $\bar{A}$ denote the set of new elements of the form $\bar{x}$. 
Similarly, we assume that there exist auxiliary hidden and blocking sets $\bar{I}$ and $\bar{H}$, respectively. 

Definition 4.2. (Bag). Let $n > 0$ be a natural number representing the size of a bag process. Let $\varepsilon$ denote 
the empty multiset and $\xi$ denote a multiset of communicated actions (i.e. the actions that are decorated 
with the symbol $¿$). Then a bag process over a set of actions $A_1 \subseteq A$ of size $n$ is defined in the following 
way. 

$B^n_{A_1}(\varepsilon, 0) = \sum_{?a \in A_1} ?a . B^n_{A_1}(\varepsilon \oplus ¿a, 1)$, 

$B^n_{A_1}(\xi, i) = \sum_{¿a \in' \xi} !a . B^n_{A_1}(\xi \ominus ¿a, i - 1) + \sum_{?b \in A_1} ?b . B^n_{A_1}(\xi \oplus ¿b, i + 1)$ for every $0 < i < n$, 

$B^n_{A_1}(\xi, n) = \sum_{¿a \in' \xi} !a . B^n_{A_1}(\xi \ominus ¿a, n - 1)$. 

□ 

The above definition is bounded by the variable $n$, which not only helps in modeling a realistic 
asynchronous implementation (as such implementations contain buffers with finite memory) but also aids in 
modeling an asynchronous implementation having buffers of infinite size, i.e., when $n = \infty$. Notationally, we 
denote the two interleaving bags as 

$B^{m,n}[\varepsilon, \varepsilon] \triangleq B^m_{A_1}(\varepsilon, 0) \parallel_\gamma B^n_{A_2}(\varepsilon, 0)$ 

where $A_1 = \alpha_?(P)$, $A_2 = \alpha_!(P)$ and $m > 0$ ($n > 0$) denotes the size of the bag associated with the input (output) 
actions of the plant $P$. Furthermore, the sets $A_1$ and $A_2$ denote the set of input and output actions of the 
plant $P$, respectively. 
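To make Definitions 4.1 and 4.2 concrete, here is an added Python example (written for this edited version; it is not code from the paper) that implements the multiset operations ∈', ⊕ and ⊖ on pairs (I, κ) and generates the transition system of the bounded bag process B^n over a constructed set of message names. The names `member`, `add`, `remove`, `key`, `bag` and `check_bag` are this example's own, and plain message names are stored in the multiset in place of the decorated ¿a labels.

```python
# Multiset over message names as the pair (I, kappa) of Definition 4.1.
# Constructed example; not code from the paper.
EMPTY = (frozenset(), {})            # epsilon = (empty set, zero function)

def member(x, xi):                   # x in' xi  :=  x in I and kappa(x) > 0
    I, kappa = xi
    return x in I and kappa[x] > 0

def add(xi, x):                      # xi (+) x
    I, kappa = xi
    k = dict(kappa)
    k[x] = kappa[x] + 1 if x in I else 1
    return (I | {x}, k)

def remove(xi, x):                   # xi (-) x, only meaningful when x in' xi
    I, kappa = xi
    k = dict(kappa)
    if kappa[x] > 1:
        k[x] = kappa[x] - 1
        return (I, k)
    del k[x]
    return (I - {x}, k)

def key(xi):                         # hashable canonical form of a multiset
    I, kappa = xi
    return tuple(sorted((x, kappa[x]) for x in I))

def bag(names, n):
    """Transition system of the bag process B^n over `names` (Definition 4.2):
    state (xi, i) receives ?a while i < n and sends !a for any a in' xi while
    i > 0. Returns {state_key: {(label, next_state_key)}}."""
    lts, todo = {}, [(EMPTY, 0)]
    while todo:
        xi, i = todo.pop()
        k = (key(xi), i)
        if k in lts:
            continue
        lts[k] = set()
        succ = []
        if i < n:                                  # room left: accept a message
            succ += [("?" + a, (add(xi, a), i + 1)) for a in names]
        if i > 0:                                  # deliver any stored message
            succ += [("!" + a, (remove(xi, a), i - 1)) for a in names if member(a, xi)]
        for label, nxt in succ:
            lts[k].add((label, (key(nxt[0]), nxt[1])))
            todo.append(nxt)
    return lts

def check_bag(names, n):
    """Properties a bounded bag must have in every reachable state: the counter i
    equals the multiset size, a full bag only sends, an empty bag only receives.
    Returns (number_of_states, all_properties_hold)."""
    lts = bag(names, n)
    ok = True
    for (mk, i), steps in lts.items():
        ok &= sum(c for _, c in mk) == i
        labels = {l[0] for l, _ in steps}
        ok &= labels <= {"!"} if i == n else True
        ok &= labels <= {"?"} if i == 0 else True
    return len(lts), ok

if __name__ == "__main__":
    print(check_bag(["a", "b"], 2))   # six multisets of size at most 2 over {a, b}
```

Because a bag of size n over k names has exactly one state per multiset of size at most n, `check_bag(["a", "b"], 2)` reports six states; the interleaving of the two bags in $B^{m,n}[\varepsilon,\varepsilon]$ is not modelled here.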

Next we formally define an abstraction scheme that implements the construction method M1. 
Informally, it decorates the interaction between a plant and the two interleaving bags with the symbol 
$\bar{\ }$, indicating that such interactions are to be made hidden. We write the asynchronous closed loop system 
as $\tau_{\bar{I}}(\partial_{H \cup \bar{H}}(P \parallel_{\gamma'} B^{m,n}[\varepsilon, \varepsilon] \parallel_{\gamma'} S))$ (for some $m, n > 0$) constructed from its corresponding synchronous 
closed loop system $\partial_H(P \parallel_\gamma S)$ where, 

• $\gamma' : (A \cup \bar{A}) \times (A \cup \bar{A}) \to (A \cup \bar{A})$ is the modified communication function (or the abstraction 
scheme for method M1) defined in the following way, 
I xa if la G a-(S) I xa if la e or(S) 

Intuitively, the communication function $\gamma'$ with the operators $\tau_{\bar{I}}, \partial_{H \cup \bar{H}}$ ensures that the interactions 
between the plant and the bag are invisible while the interactions between the supervisor and the 
bag are visible. 

The rationale behind the choice of M1 is based on the observation that a transition system generated 
by a supervisor $S$ is isomorphic to the corresponding synchronous closed loop system $\partial_H(P \parallel_\gamma S)$, modulo 
the difference in the type of action labels [6]. This is because in the synthesis of supervisors no transitions 
are introduced that a plant cannot execute. Moreover, the action labels in $S$ will be decorated as either 
an input action ($?$) or an output action ($!$), while in $\partial_H(P \parallel_\gamma S)$ the same label will be decorated as a 
communicated action ($¿$). Formally, this fact is equivalent to 

$\rho_f(S) \leftrightarrow \partial_H(P \parallel_\gamma S)$ 

where $\rho$ is the renaming operator from TCP [3] and $f : A \to A$ is a function that renames an input/output 
action to a communicated action, i.e., $\forall ?a, !a \in A.[f(!a) = f(?a) = ¿a]$. As a consequence, when one 
introduces bags and abstracts from the interaction between plant and bags, the supervisor model remains 
unaffected, whereas in other abstraction schemes this is not the case. Thus, it is easier to study abstraction 
scheme M1 than other schemes. 

Figure 3: Diamond property. 



5 Desynchronisable closed loop system 

In the previous section, we have shown how to construct an asynchronous closed loop system from a 
given synchronous closed loop system. In general, the newly constructed asynchronous closed loop 
system will not be branching bisimilar to the given synchronous closed loop system. To this end, we 
introduce a special class of synchronous closed loop systems, called desynchronisable closed loop 
systems, that are always branching bisimilar to their corresponding asynchronous closed loop systems. 
We then present sufficient conditions for desynchronisability. 

Definition 5.1. Let $\partial_H(P \parallel_\gamma S)$ be a synchronous closed loop system and let $m, n$ be any two nonzero 
natural numbers. Then, $\partial_H(P \parallel_\gamma S)$ is said to be desynchronisable with input and output buffers of size $n$ 
and $m$ (or in short a desynchronisable closed loop system), respectively, if 

$\partial_H(P \parallel_\gamma S) \leftrightarrow_b \tau_{\bar{I}}(\partial_{H \cup \bar{H}}(P \parallel_{\gamma'} B^{m,n}[\varepsilon, \varepsilon] \parallel_{\gamma'} S))$. 

□ 
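Definition 5.1 can be checked mechanically for a concrete plant and supervisor and one pair of bag sizes. The added Python example below (written for this edited version, not code from the paper) builds the synchronous closed loop $\partial_H(P \parallel_\gamma S)$, the asynchronous closed loop with two bags under construction method M1 (plant–bag steps hidden as τ, supervisor–bag steps visible), and the greatest branching bisimulation of Definition 2.2 by removing violating pairs until a fixpoint is reached. Plants and supervisors are given as dictionaries from a state to a set of (label, successor) pairs with labels `?a`/`!a`; communicated actions are written `¿a`; the function names and the two plant/supervisor pairs are constructed for this example. The second pair is not desynchronisable for bounded bags: the plant can keep reporting d while the supervisor, having sent a, waits for c, so the output bag fills up and the asynchronous system deadlocks, which no state of the synchronous system can match.

```python
from itertools import product

TAU = "tau"

def _put(bag, a):                 # multiset as a sorted tuple: bag ⊕ a
    return tuple(sorted(bag + (a,)))

def _take(bag, a):                # bag ⊖ a, assuming a is in the bag
    items = list(bag)
    items.remove(a)
    return tuple(items)

def sync_closed_loop(plant, sup, p0, s0):
    """∂_H(P ||γ S): a ?a step of one side synchronises with a !a step of the other
    into the communicated action ¿a; lone ?a/!a steps are blocked by ∂_H."""
    lts, todo = {}, [(p0, s0)]
    while todo:
        st = todo.pop()
        if st in lts:
            continue
        p, s = st
        lts[st] = set()
        for (lp, p2), (ls, s2) in product(plant[p], sup[s]):
            if lp[1:] == ls[1:] and {lp[0], ls[0]} == {"?", "!"}:
                lts[st].add(("¿" + lp[1:], (p2, s2)))
                todo.append((p2, s2))
    return lts

def async_closed_loop(plant, sup, p0, s0, m, n):
    """Method M1: plant–bag steps are hidden (tau), supervisor–bag steps are visible
    as ¿a. State = (p, mu, nu, s): mu holds messages S has sent and P has not yet
    taken (at most m), nu holds messages P has emitted and S has not yet taken
    (at most n). A full bag refuses further messages."""
    lts, todo = {}, [(p0, (), (), s0)]
    while todo:
        st = todo.pop()
        if st in lts:
            continue
        p, mu, nu, s = st
        lts[st] = set()
        for lp, p2 in plant[p]:
            a = lp[1:]
            if lp[0] == "?" and a in mu:             # P takes a from the input bag
                lts[st].add((TAU, (p2, _take(mu, a), nu, s)))
            if lp[0] == "!" and len(nu) < n:         # P emits a into the output bag
                lts[st].add((TAU, (p2, mu, _put(nu, a), s)))
        for ls, s2 in sup[s]:
            a = ls[1:]
            if ls[0] == "!" and len(mu) < m:         # S sends a into the input bag
                lts[st].add(("¿" + a, (p, _put(mu, a), nu, s2)))
            if ls[0] == "?" and a in nu:             # S takes a from the output bag
                lts[st].add(("¿" + a, (p, mu, _take(nu, a), s2)))
        todo.extend(t for _, t in lts[st])
    return lts

def branching_bisimilar(lts1, q1, lts2, q2):
    """Greatest branching bisimulation (Definition 2.2) between two transition
    systems: start from all cross pairs and drop violating pairs until a fixpoint."""
    lts = {("A", q): {(l, ("A", t)) for l, t in v} for q, v in lts1.items()}
    lts.update({("B", q): {(l, ("B", t)) for l, t in v} for q, v in lts2.items()})
    closure = {}                  # q ⇒ q': zero or more tau steps
    for q in lts:
        seen, todo = {q}, [q]
        while todo:
            for l, t in lts[todo.pop()]:
                if l == TAU and t not in seen:
                    seen.add(t)
                    todo.append(t)
        closure[q] = seen
    rel = {(x, y) for x in lts for y in lts if x[0] != y[0]}
    def matched(x, y):            # every step of x is answered by y modulo rel
        for l, x2 in lts[x]:
            if l == TAU and (x2, y) in rel:
                continue
            if not any((x, y2) in rel and (x2, y3) in rel
                       for y2 in closure[y] for l2, y3 in lts[y2] if l2 == l):
                return False
        return True
    while True:
        bad = {(x, y) for x, y in rel if not matched(x, y)}
        if not bad:
            return (("A", q1), ("B", q2)) in rel
        rel -= bad | {(y, x) for x, y in bad}

def desynchronisable(plant, sup, p0, s0, m, n):
    """Definition 5.1 for one pair of bag sizes m (input bag) and n (output bag)."""
    return branching_bisimilar(sync_closed_loop(plant, sup, p0, s0), (p0, s0),
                               async_closed_loop(plant, sup, p0, s0, m, n),
                               (p0, (), (), s0))

# Constructed pair 1: the supervisor sends a, the plant answers with c.
PLANT1 = {"P": {("?a", "Pc")}, "Pc": {("!c", "P")}}
SUP1 = {"S": {("!a", "Sc")}, "Sc": {("?c", "S")}}
# Constructed pair 2: the plant may also report d on its own; once the supervisor has
# sent a and waits for c, a bounded output bag fills up with d and the system deadlocks.
PLANT2 = {"P": {("?a", "Pc"), ("!d", "P")}, "Pc": {("!c", "P")}}
SUP2 = {"S": {("!a", "Sc"), ("?d", "S")}, "Sc": {("?c", "S")}}

if __name__ == "__main__":
    for m, n in [(1, 1), (2, 2)]:
        print(m, n, desynchronisable(PLANT1, SUP1, "P", "S", m, n),
              desynchronisable(PLANT2, SUP2, "P", "S", m, n))
```

The fixpoint loop computes the greatest branching bisimulation because the transfer conditions are monotone in the candidate relation; on the small systems above it converges in a handful of rounds, and the first pair is related for both bag sizes while the second is not.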

We now present three sufficient conditions for desynchronisability with buffers of arbitrary size. The 
objective of these conditions is the following. The conditions given in Definition 5.2 and Definition 5.3 
prevent an asynchronous closed loop system from getting deadlocked. The condition in Definition 5.4 
ensures that the silent steps introduced by the abstraction scheme are inert. 

Definition 5.2. Let $\partial_H(P \parallel_\gamma S)$ be a synchronous closed loop system. Then, $\partial_H(P \parallel_\gamma S)$ is called well 
posed if there exists a binary relation $W \subseteq \mathcal{P} \times \mathcal{P}$ such that $(P, S) \in W$ and the following conditions are 
satisfied: 

• $\forall !a, p, p', s.\ [(p, s) \in W \wedge p \xrightarrow{!a} p' \Rightarrow \exists s'.\ [s \xrightarrow{?a} s' \wedge (p', s') \in W]]$, and 

• $\forall !a, p, s, s'.\ [(p, s) \in W \wedge s \xrightarrow{!a} s' \Rightarrow \exists p'.\ [p \xrightarrow{?a} p' \wedge (p', s') \in W]]$. 

□ 

We now partition the set $I$ into two disjoint non-empty subsets $I_P, I'_P$ with respect to a plant process 
$P$ as: 

• $I_P \triangleq \{¿a \mid ¿a \in I \wedge ?a \in \alpha_?(P)\}$. 

• $I'_P \triangleq \{¿a \mid ¿a \in I \wedge !a \in \alpha_!(P)\}$. 



Definition 5.3. Let $u \in I_P^*$ and $v \in I'^*_P$ be sequences in $I_P$ and $I'_P$, respectively. Let $p \in \mathcal{P}$ be an arbitrary 
process and let $q \in Q$ be its initial state. We define the set of reachable states of $p$ in the following way, 

$Reach(q) = \{q' \mid \exists w \in A^*.\ [q \xrightarrow{w} q']\}$. 

By the semantics of TCP we know that if the initial state of a process is of the structure $\partial_H(\_ \parallel_\gamma \_)$ then 
all the reachable states will also be of the same structure. A synchronous closed loop system $\partial_H(P \parallel_\gamma S)$ 
is said to satisfy the reordering property iff both the following conditions are satisfied, 

• $\forall p_2, p', s', \partial_H(p_1 \parallel_\gamma s_1) \in Reach(\partial_H(P \parallel_\gamma S)), ¿a \in I_P.$ 
$[\partial_H(p_1 \parallel_\gamma s_1) \xrightarrow{u} \partial_H(p' \parallel_\gamma s') \wedge p_1 \xrightarrow{?a} p_2 \Rightarrow \exists s_2.\ [\partial_H(p_1 \parallel_\gamma s_1) \xrightarrow{¿a} \partial_H(p_2 \parallel_\gamma s_2)]]$ 

• $\forall p', s', s_2, \partial_H(p_1 \parallel_\gamma s_1) \in Reach(\partial_H(P \parallel_\gamma S)), ¿a \in I'_P.$ 
$[\partial_H(p_1 \parallel_\gamma s_1) \xrightarrow{v} \partial_H(p' \parallel_\gamma s') \wedge s_1 \xrightarrow{?a} s_2 \Rightarrow \exists p_2.\ [\partial_H(p_1 \parallel_\gamma s_1) \xrightarrow{¿a} \partial_H(p_2 \parallel_\gamma s_2)]]$. 

□ 

Definition 5.4. Let $q \in Q$ be an arbitrary state. Then, $q$ is said to satisfy the diamond property iff the 
following condition (see Figure 3) holds: 

• $\forall ¿a, ¿b \in I, q_1, q_2.\ [q \xrightarrow{¿a} q_1 \wedge q \xrightarrow{¿b} q_2 \wedge ¿a \neq ¿b \Rightarrow \exists q_3.\ [q_1 \xrightarrow{¿b} q_3 \wedge q_2 \xrightarrow{¿a} q_3]]$ 

A process $p$ is said to satisfy the diamond property iff all states $q'$ reachable from $q$ satisfy the 
diamond property, where $q$ is the initial state of the process $p$. □ 

For a reader familiar with the concepts of true concurrency [17], the conditions given in Definitions 
5.2, 5.3 and 5.4 are similar to the axioms of asynchronous transition systems. The formulation of 
these axioms is based on the definition of an independence relation, which is an irreflexive, symmetric 
relation on the set of actions $A$. However, the techniques for desynchronisability for such models are not 
investigated here, although it will be worthwhile to examine this research direction in the future. Note 
that in our approach we do not need an additional notion of the independence relation. 
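As an added illustration (not from the paper), the following Python checks three of the ingredients the conditions above rely on, on constructed closed-loop transition systems written out by hand: determinism (Definition 3.1), well-posedness (Definition 5.2, computed as the greatest relation W over plant/supervisor state pairs that contains the initial pair) and the diamond property (Definition 5.4). Function and state names are this example's own; transition systems are dictionaries from a state to a set of (label, successor) pairs, with communicated actions written `¿a`.

```python
from itertools import product

def deterministic(lts):
    """Definition 3.1: in no state does one label lead to two different successors."""
    return all(len({t for l, t in steps if l == lab}) == 1
               for steps in lts.values() for lab, _ in steps)

def well_posed(plant, sup, p0, s0):
    """Definition 5.2: the largest relation W over plant/supervisor states in which
    every output !a of one side is accepted by a ?a of the other side, with the
    successor pair again in W. W is computed as a greatest fixpoint; the closed
    loop is well posed iff the initial pair (p0, s0) survives."""
    W = {(p, s) for p in plant for s in sup}
    def ok(p, s):
        for lp, p2 in plant[p]:          # plant output needs a supervisor input
            if lp[0] == "!" and not any(ls == "?" + lp[1:] and (p2, s2) in W
                                        for ls, s2 in sup[s]):
                return False
        for ls, s2 in sup[s]:            # supervisor output needs a plant input
            if ls[0] == "!" and not any(lp == "?" + ls[1:] and (p2, s2) in W
                                        for lp, p2 in plant[p]):
                return False
        return True
    while True:
        bad = {ps for ps in W if not ok(*ps)}
        if not bad:
            return (p0, s0) in W
        W -= bad

def diamond(lts):
    """Definition 5.4 in every state: two different actions enabled together can
    be taken in either order and meet in a common state."""
    for q, steps in lts.items():
        for (a, q1), (b, q2) in product(steps, steps):
            if a != b and not any((b, q3) in lts[q1] and (a, q3) in lts[q2]
                                  for _, q3 in lts[q1]):
                return False
    return True

# Constructed examples. Supervisor SUP3 sends a and b in either order and plant
# PLANT3 accepts them in either order; SYNC3 is the hand-written ∂_H(PLANT3 ||γ SUP3).
PLANT3 = {"P": {("?a", "Pa"), ("?b", "Pb")}, "Pa": {("?b", "P")}, "Pb": {("?a", "P")}}
SUP3 = {"S": {("!a", "Sa"), ("!b", "Sb")}, "Sa": {("!b", "S")}, "Sb": {("!a", "S")}}
SYNC3 = {("P", "S"): {("¿a", ("Pa", "Sa")), ("¿b", ("Pb", "Sb"))},
         ("Pa", "Sa"): {("¿b", ("P", "S"))}, ("Pb", "Sb"): {("¿a", ("P", "S"))}}
# A closed loop in which the plant may report d while the supervisor has just sent a
# and waits for c: ¿a and ¿d are enabled together but do not commute.
SYNC2 = {("P", "S"): {("¿a", ("Pc", "Sc")), ("¿d", ("P", "S"))},
         ("Pc", "Sc"): {("¿c", ("P", "S"))}}
# A plant that only reports d to a supervisor that only listens for c.
PLANT4, SUP4 = {"P": {("!d", "P")}}, {"S": {("?c", "S")}}
NONDET = {"q": {("¿a", "q1"), ("¿a", "q2")}, "q1": set(), "q2": set()}

if __name__ == "__main__":
    print(deterministic(SYNC3), well_posed(PLANT3, SUP3, "P", "S"), diamond(SYNC3))
    print(deterministic(NONDET), well_posed(PLANT4, SUP4, "P", "S"), diamond(SYNC2))
```

The reordering property of Definition 5.3 is not checked here, since it quantifies over sequences; the diamond check is the one that distinguishes SYNC3 (which commutes) from SYNC2 (where the plant's spontaneous ¿d cannot be exchanged with the supervisor's ¿a).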
Next, we present the following main results of this paper. 



• If an arbitrary synchronous closed loop system satisfies the conditions in Definitions 5.2, 5.3 and 
5.4 then it is desynchronisable with buffers of arbitrary size. 

• The transition system generated by an asynchronous closed loop system constructed from a 
synchronous closed loop system satisfying the conditions in Definitions 5.2, 5.3 and 5.4 is always 
$\tau$-inert with respect to $\leftrightarrow_b$. 

To prove the above statements, we first fix some notations and then prove some lemmas, which are 
necessary for the proof of the main theorem. 

We denote the contents of an arbitrary bag by the symbols $\xi, \xi'$, i.e., $\xi, \xi'$ are of the form $(I_0, \kappa_0)$ and 
$(I_1, \kappa_1)$ respectively, where $I_0, I_1 \subseteq I$. The contents of the bag attached to input actions of $P$ is denoted 
by $\mu$, i.e., $\mu$ is of the form $(I_\mu, \kappa_\mu)$ where $I_\mu \subseteq I_P$. Similarly the contents of the bag attached to output 
actions of $P$ is denoted by $\nu$, i.e., $\nu$ is of the form $(I_\nu, \kappa_\nu)$ where $I_\nu \subseteq I'_P$. For an arbitrary multiset $\xi$, we 
define a sequence (denoted as $\tilde{\xi}$) over $\xi$ as 

$\tilde{\xi} = x_1 . x_2 . \cdots$ 

such that $\#(x_i, \tilde{\xi}) = \kappa(x_i)$, where $\#$ is a function that returns the maximum number of occurrences of $x_i$ 
in $\tilde{\xi}$, for some $i > 0$. For example, consider a multiset $\xi = \{¿a, ¿a, ¿b, ¿b\}$. Then a possible sequence 
$\tilde{\xi}$ over the given $\xi$ can be of the form $¿a . ¿b . ¿a . ¿b$. Let $f_? : I^* \to A^*$ be the function defined as 
$f_?(¿a . \tilde{\xi}) = ?a . f_?(\tilde{\xi})$. Similarly, let $f_! : I^* \to A^*$ be the function defined as $f_!(¿a . \tilde{\xi}) = !a . f_!(\tilde{\xi})$. 

Proposition 5.5. Given a trace $\partial_H(P \parallel_\gamma S) \xrightarrow{\tilde{\mu}} \partial_H(p_1 \parallel_\gamma s_1)$, we find using the above function $f_?$ and the 
semantics of $\parallel_\gamma$ that $P \xrightarrow{f_?(\tilde{\mu})} p_1 \wedge S \xrightarrow{f_!(\tilde{\mu})} s_1$. 

Proposition 5.6. Similarly, given a trace $\partial_H(P \parallel_\gamma S) \xrightarrow{\tilde{\nu}} \partial_H(p_1 \parallel_\gamma s_1)$, we conclude that $P \xrightarrow{f_!(\tilde{\nu})} p_1 \wedge S \xrightarrow{f_?(\tilde{\nu})} s_1$. 



The following lemma is a generalisation of Definition 5.4. It states that if two different states $q_1, q_2$ 
are reachable from a state $q_0$, then there exists a state $q_3$ reachable from $q_1$ and $q_2$ such that the trace 
between $q_0, q_1$ and the trace between $q_0, q_2$ commute. 

Lemma 5.7 (Generalised diamond property). Let $\partial_H(P \parallel_\gamma S)$ be an arbitrary synchronous closed 
loop system satisfying the conditions in Definitions 5.2, 5.3 and 5.4. 
If $\partial_H(P \parallel_\gamma S) \xrightarrow{u} \partial_H(p_1 \parallel_\gamma s_1) \wedge \partial_H(P \parallel_\gamma S) \xrightarrow{v} \partial_H(p_2 \parallel_\gamma s_2)$ then, 

$\exists p_3, s_3.\ [\partial_H(p_1 \parallel_\gamma s_1) \xrightarrow{v} \partial_H(p_3 \parallel_\gamma s_3) \wedge \partial_H(p_2 \parallel_\gamma s_2) \xrightarrow{u} \partial_H(p_3 \parallel_\gamma s_3)]$. 



The following Lemmas 5.8 and 5.9 are the results (see [5] for the proofs) obtained by direct instantiation 
of the reordering property (Definition 5.3) and the generalised diamond property (Lemma 5.7). 

Lemma 5.8. Let $\partial_H(P \parallel_\gamma S)$ be a synchronous closed loop system satisfying the conditions in 
Definitions 5.2, 5.3 and 5.4. Suppose $¿a \in I_P \wedge \partial_H(P \parallel_\gamma S) \xrightarrow{u} \partial_H(p_3 \parallel_\gamma s_3) \wedge P \xrightarrow{?a} p_1$ then, 

$\exists s_1.\ [\partial_H(P \parallel_\gamma S) \xrightarrow{¿a} \partial_H(p_1 \parallel_\gamma s_1) \xrightarrow{u} \partial_H(p_3 \parallel_\gamma s_3)]$. 

Lemma 5.9. Let $\partial_H(P \parallel_\gamma S)$ be a synchronous closed loop system satisfying the conditions in 
Definitions 5.2, 5.3 and 5.4. Suppose $¿a \in I'_P \wedge \partial_H(P \parallel_\gamma S) \xrightarrow{v} \partial_H(p_3 \parallel_\gamma s_3) \wedge S \xrightarrow{?a} s_1$ then, 

$\exists p_1.\ [\partial_H(P \parallel_\gamma S) \xrightarrow{¿a} \partial_H(p_1 \parallel_\gamma s_1) \xrightarrow{v} \partial_H(p_3 \parallel_\gamma s_3)]$. 



We now pose the main theorem of this paper, which proves the following statement. If the given 
synchronous closed loop system satisfies the conditions in Definitions 5.2, 5.3 and 5.4 then it is desynchronisable 
independent of the size of the buffers introduced between the given plant and its supervisor. 

Theorem 5.10. Let $\partial_H(P \parallel_\gamma S)$ be an arbitrary synchronous closed loop system satisfying the conditions 
in Definitions 5.2, 5.3 and 5.4. Then for any $m, n > 0$ we have, 

$\partial_H(P \parallel_\gamma S) \leftrightarrow_b \tau_{\bar{I}}(\partial_{H \cup \bar{H}}(P \parallel_{\gamma'} B^{m,n}[\varepsilon, \varepsilon] \parallel_{\gamma'} S))$. 
Figure 4: Illustration of relation $\Phi$ (cases C4 and C5). 

Proof. Let $p, p', s$ be free process variables. Let $\mu, \nu$ be two free variables representing the contents of 
an input and an output bag of $P$, respectively. Then, define a relation $\Phi$ as follows. 

$\Phi = \{(\partial_H(p \parallel_\gamma s),\ \tau_{\bar{I}}(\partial_{H \cup \bar{H}}(p' \parallel_{\gamma'} B^{m,n}[\mu, \nu] \parallel_{\gamma'} s))) \mid$ 

$(p' = p \wedge \mu = \varepsilon \wedge \nu = \varepsilon) \vee$ [C1] 

$(\mu = \varepsilon \wedge \exists s'.\ [\partial_H(p \parallel_\gamma s) \xrightarrow{\tilde{\nu}} \partial_H(p' \parallel_\gamma s')]) \vee$ [C2] 

$(\nu = \varepsilon \wedge \exists s'.\ [\partial_H(p' \parallel_\gamma s') \xrightarrow{\tilde{\mu}} \partial_H(p \parallel_\gamma s)]) \vee$ [C3] 

(vvy-tw ii/) <£- w u/o 4> n y ,)]) v [C4] 

(Bp" ^ .[d H (j> \\yS)-^- d H (p" \\ys") d H {p' 11/)]) }• [C5] 

Note that the above conditions C1, C2, C3, C4 and C5 are independent of $n, m$. The proof of the theorem is based on showing that $\Phi$ is a witnessing branching bisimulation relation. The intuition behind the definition of $\Phi$ is the following. A state $\partial_H(p \parallel_\gamma s)$ in a synchronous closed loop system is related to those states in an asynchronous closed loop system that contain the same supervisor state $s$. The $\Phi$ relation between two states is indicated by dotted lines in Figure 4. The complete proof requires a lot of case distinction and can be found in [5]. Here we discuss the different cases that are present in the proof and give the list of lemmas that are applied in each case. Let $q_c, q_a$ be the initial states of the processes $\partial_H(p \parallel_\gamma s)$ and $\tau_I(\partial_{H \cup I}(p' \parallel_\gamma B^{m,n}[\mu,\nu] \parallel_\gamma s))$, respectively. From the definition of branching bisimilarity we need to show the following four transfer conditions (where $q \Rightarrow q''$ denotes zero or more $\tau$ steps):

1. $\forall ?a, q_c, q_c', q_a.\,[q_c \xrightarrow{?a} q_c' \wedge (q_c, q_a) \in \Phi \implies \exists q_a', q_a''.\,[q_a \Rightarrow q_a'' \xrightarrow{?a} q_a' \wedge (q_c, q_a''), (q_c', q_a') \in \Phi]]$.

2. $\forall q_c, q_c', q_a.\,[q_c \xrightarrow{\tau} q_c' \wedge (q_c, q_a) \in \Phi \implies (q_c', q_a) \in \Phi \vee \exists q_a', q_a''.\,[q_a \Rightarrow q_a'' \xrightarrow{\tau} q_a' \wedge (q_c, q_a''), (q_c', q_a') \in \Phi]]$.

3. $\forall q_c, q_a, q_a'.\,[q_a \xrightarrow{\tau} q_a' \wedge (q_c, q_a) \in \Phi \implies (q_c, q_a') \in \Phi \vee \exists q_c', q_c''.\,[q_c \Rightarrow q_c'' \xrightarrow{\tau} q_c' \wedge (q_c'', q_a), (q_c', q_a') \in \Phi]]$.

4. $\forall ?a, q_c, q_a, q_a'.\,[q_a \xrightarrow{?a} q_a' \wedge (q_c, q_a) \in \Phi \implies \exists q_c', q_c''.\,[q_c \Rightarrow q_c'' \xrightarrow{?a} q_c' \wedge (q_c'', q_a), (q_c', q_a') \in \Phi]]$.

Since the synchronous closed loop system does not contain $\tau$ actions in its alphabet, there are the following three effects on the above transfer conditions.

• The above condition 2 is vacuously satisfied.

• Condition 3 reduces to the simpler form

$$\forall q_c, q_a, q_a'.\,[q_a \xrightarrow{\tau} q_a' \wedge (q_c, q_a) \in \Phi \implies (q_c, q_a') \in \Phi].$$

• Similarly, condition 4 reduces to:

$$\forall ?a, q_c, q_a, q_a'.\,[q_a \xrightarrow{?a} q_a' \wedge (q_c, q_a) \in \Phi \implies \exists q_c'.\,[q_c \xrightarrow{?a} q_c' \wedge (q_c', q_a') \in \Phi]].$$

But to show that these conditions hold, we need to know whether the action label $?a$ occurring in each condition is an input or an output action with respect to $P$, i.e. $?a \in I_P$ or $?a \in O_P$. Thus, we get six transfer conditions in total, which are shown in Table 1. Furthermore, for each case we apply case distinction based on the structure of $\mu$ and $\nu$. In each subcase we use C1, C2, C3, C4 and C5 (the conditions from the definition of $\Phi$) to determine the relation between the free process variables $p, p'$ and then prove the conclusion as shown in Table 1. The notation $\tau = \tau_{?a}(?a)$ is used to denote that the $\tau$ action is the result of abstraction of the communicated action $?a$.



Table 1: Proof structure of Theorem 5.10

Case No. | Hypothesis | Conclusion
T1 | $q_c \xrightarrow{?a} q_c' \wedge (q_c, q_a) \in \Phi \wedge ?a \in O_P$ | $\exists q_a', q_a''.\,[q_a \Rightarrow q_a'' \xrightarrow{?a} q_a' \wedge (q_c, q_a''), (q_c', q_a') \in \Phi]$
T2 | $q_c \xrightarrow{?a} q_c' \wedge (q_c, q_a) \in \Phi \wedge ?a \in I_P$ | $\exists q_a', q_a''.\,[q_a \Rightarrow q_a'' \xrightarrow{?a} q_a' \wedge (q_c, q_a''), (q_c', q_a') \in \Phi]$
T3 | $q_a \xrightarrow{\tau} q_a' \wedge (q_c, q_a) \in \Phi \wedge ?a \in I_P \wedge \tau = \tau_{?a}(?a)$ | $(q_c, q_a') \in \Phi$
T4 | $q_a \xrightarrow{\tau} q_a' \wedge (q_c, q_a) \in \Phi \wedge ?a \in O_P \wedge \tau = \tau_{?a}(?a)$ | $(q_c, q_a') \in \Phi$
T5 | $q_a \xrightarrow{?a} q_a' \wedge (q_c, q_a) \in \Phi \wedge ?a \in I_P$ | $\exists q_c'.\,[q_c \xrightarrow{?a} q_c' \wedge (q_c', q_a') \in \Phi]$
T6 | $q_a \xrightarrow{?a} q_a' \wedge (q_c, q_a) \in \Phi \wedge ?a \in O_P$ | $\exists q_c'.\,[q_c \xrightarrow{?a} q_c' \wedge (q_c', q_a') \in \Phi]$



In Table 2 we present the list of lemmas required to prove each case.

□ 

In hindsight, what we have actually proven is that all $\tau$ actions generated by the abstraction scheme are $\tau$-inert with respect to $\leftrightarrow_b$. The following corollary states this fact.

Corollary 5.11. Let $q_c$ be a process of the form $\partial_H(P \parallel_\gamma S)$, and let $q_a$ be an asynchronous closed loop system of the form $\tau_I(\partial_{H \cup I}(P' \parallel_\gamma B^{m,n}[\mu,\nu] \parallel_\gamma S))$ such that $(q_c, q_a) \in \Phi$. Then,

$$\forall q_c, q_a, q_a'.\,[(q_c, q_a) \in \Phi \wedge q_a \xrightarrow{\tau} q_a' \implies q_a \leftrightarrow_b q_a'].$$
Table 2: List of lemmas applied in each case.

Case No. | List of lemmas
T1 | Lemma 5.7
T2 | Lemma 5.7 and Proposition 5.5
T3 | Lemma 5.7 and Lemma 5.8
T4 | Lemma 5.7
T5 | Lemma 5.7 and Lemma 5.9
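To make the reduced transfer conditions and the $\tau$-inertness claim of Corollary 5.11 concrete, here is an added example (not from the paper): a naive greatest-fixpoint branching bisimulation checker over small labelled transition systems, run on a hand-built synchronous closed loop and a hand-built asynchronous version of it with one-place bags. The state names, the toy plant and supervisor behaviour, and the choice of which communications are abstracted to $\tau$ are all constructed assumptions, not the paper's constructions.

```python
# Added example, not from the paper: naive branching bisimulation check.
# An LTS is a dict state -> list of (action, successor); "tau" is silent.
# All systems below are constructed toys, not the paper's plant/supervisor.
from itertools import product

def tau_closure(lts, q):
    """States q'' with q => q'' (zero or more tau steps)."""
    seen, stack = {q}, [q]
    while stack:
        for a, t in lts.get(stack.pop(), ()):
            if a == "tau" and t not in seen:
                seen.add(t); stack.append(t)
    return seen

def states(lts):
    return set(lts) | {t for moves in lts.values() for _, t in moves}

def _transfer(p, q, lp, lq, related):
    # Every p -a-> p' is matched either by a == tau with (p', q) related, or
    # by q => q'' -a-> q' with (p, q'') and (p', q') related (branching clause).
    for a, p2 in lp.get(p, ()):
        if a == "tau" and related(p2, q):
            continue
        if not any(related(p, q2) and any(b == a and related(p2, q3)
                                          for b, q3 in lq.get(q2, ()))
                   for q2 in tau_closure(lq, q)):
            return False
    return True

def branching_bisimilar(l1, s1, l2, s2):
    # Greatest fixpoint: start from all pairs, drop those violating the
    # transfer conditions in either direction, repeat until stable.
    rel = set(product(states(l1), states(l2)))
    while True:
        drop = {(p, q) for p, q in rel
                if not (_transfer(p, q, l1, l2, lambda x, y: (x, y) in rel)
                        and _transfer(q, p, l2, l1, lambda x, y: (y, x) in rel))}
        if not drop:
            return (s1, s2) in rel
        rel -= drop

# Synchronous closed loop: supervisor sends a, plant answers b, repeat.
SYNC = {"S0": [("a", "S1")], "S1": [("b", "S0")]}
# Asynchronous version with one-place bags: the supervisor's send of a and
# receipt of b stay visible, the plant's bag accesses are abstracted to tau.
ASYNC = {"A0": [("a", "A1")], "A1": [("tau", "A2")],
         "A2": [("tau", "A3")], "A3": [("b", "A0")]}
# Variant: after a the plant picks b or c; behind a bag that choice happens
# under tau and is no longer tau-inert, so the systems are not bisimilar.
SYNC2 = {"S0": [("a", "S1")], "S1": [("b", "S0"), ("c", "S2")]}
ASYNC2 = {"A0": [("a", "A1")], "A1": [("tau", "A2")],
          "A2": [("tau", "A3"), ("tau", "A4")],
          "A3": [("b", "A0")], "A4": [("c", "A5")]}
```

Calling `branching_bisimilar(SYNC, "S0", ASYNC, "A0")` returns True, while the variant `branching_bisimilar(SYNC2, "S0", ASYNC2, "A0")` returns False because the $\tau$ step into A3 cannot be matched by S1, which still offers c.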



6 Conclusions and future work 

In this paper, we presented sufficient conditions for desynchronisability in a process algebraic setting 
and showed that an asynchronous implementation using bags (of arbitrary size) is a refinement of the 
synchronous closed loop system satisfying these conditions. The prominent features of our work can be 
summarised in the following main points: 

• We solve a refinement problem instead of a supervisory control problem, and do not compute a new supervisor in the presence of buffers, as done in [4, 18]. Our approach is intended to be computationally cheaper than the one developed in [18]; however, this conjecture needs to be verified by analysing the complexities associated with the conditions presented here. In particular, we conjecture that supervisory control theory always results in synchronous closed loop systems which are well-posed (Definition 5.2), but the other conditions (Definition 5.3 and Definition 5.4) are not likely to be attained so easily.

• We present our conditions for desynchronisability over the components of a synchronous closed loop system conjointly, in contrast with [8], where the check for the foam rubber wrapper principle on the two components was applied separately. Note that the sender domination property from [8] is equivalent to the well-posed condition (Definition 5.2). However, the two approaches are incomparable because in [8] the construction method M3 was studied, while in this paper the construction method M1 is studied.

• We use branching bisimulation equivalence instead of the failure equivalence that was adopted in [8]. As a consequence, our techniques are applicable to all the weak equivalences in the 'van Glabbeek spectrum' [16] (including failure equivalence). Branching bisimulation is the preferred equivalence in the TCP process algebra in the presence of the $\tau$ action [3]. Furthermore, the conditions (well-posedness and diamond property) given here are similar to the ones mentioned in [8], where desynchronisability was characterised modulo failure equivalence. Thus, we conjecture that achieving desynchronisability for weaker equivalences will not lead to weaker sufficient conditions.

A question that was not treated in this paper is whether the conditions we posed are in fact reasonable for industrial applications. This may become clear in the near future, when we study the case studies involved with supervisory control theory in the context of the MULTIFORM project [1] with the language CIF [2]. The authors of CIF are currently developing techniques that will incorporate supervisory control theory and model based engineering into a single framework, thus making it suitable for the design of industrial applications. In particular, the elevator case study and the toy example, which were desynchronisable in [6] using the construction method M1, satisfy our conditions.

Another question is whether the conditions given are actually necessary for desynchronisability modulo branching bisimilarity. Formally speaking, they are not, and counter-examples have been found, although we do not give them here. We anticipate that the diamond property (Definition 5.4) can be further weakened. In particular, if the actions $?a, ?b \in I_P$ are enabled at a state $q$, then it may not be necessary for the traces $?a.?b$ and $?b.?a$ to commute.

Lastly, the research performed in this paper can of course be repeated for different architectures. One 
might study whether wires or queues can be used instead of bags, or study different abstraction schemes, 
or try to study the conditions for desynchronisability by focusing on other notions of weak equivalences. 
A Operational semantics of TCP

In this section, we give the SOS rules for the operators used in this paper. Note that the rules for the symmetric case (in the context of binary operators) are not given.

$$\frac{}{x.p \xrightarrow{x} p} \qquad \frac{p \xrightarrow{x} p'}{p + q \xrightarrow{x} p' \quad q + p \xrightarrow{x} p'} \qquad \frac{p \xrightarrow{x} p'}{p \parallel_\gamma q \xrightarrow{x} p' \parallel_\gamma q \quad q \parallel_\gamma p \xrightarrow{x} q \parallel_\gamma p'} \qquad \frac{p \xrightarrow{x} p',\ q \xrightarrow{x'} q',\ \gamma(x, x') = x''}{p \parallel_\gamma q \xrightarrow{x''} p' \parallel_\gamma q' \quad q \parallel_\gamma p \xrightarrow{x''} q' \parallel_\gamma p'}$$

$$\frac{p \xrightarrow{x} p',\ x \notin H}{\partial_H(p) \xrightarrow{x} \partial_H(p')} \qquad \frac{p \xrightarrow{x} p',\ x \notin I}{\tau_I(p) \xrightarrow{x} \tau_I(p')} \qquad \frac{p \xrightarrow{x} p',\ x \in I}{\tau_I(p) \xrightarrow{\tau} \tau_I(p')}$$

n t JL +p,X =t p-Z+pfj-.A-tA 



X 0^P p f{p) !±%p f{p ') 

Definition A.1. The alphabet of a process $p$, written as $\alpha(p)$, is the set of atomic actions that it can perform. It is defined for the following closed terms.

$$\alpha(0) = \emptyset$$

$$\alpha(x.p) = \{x\} \cup \alpha(p)$$

$$\alpha(\tau.p) = \alpha(p)$$

$$\alpha(p + q) = \alpha(p) \cup \alpha(q)$$

Note that $\alpha$ is not defined explicitly for the operators $\parallel_\gamma$, $\partial_H$, $\tau_I$ because these operators can be eliminated (see the corresponding elimination theorems in [3]). □



